Election officials around the country are working diligently to ensure the elections on November 8th are fair, accurate, accessible and reliable. Ensuring the security and integrity of the electoral process is always a critical part of these preparations, particularly so with recent events serving as a reminder of the need to adapt to new and emerging threats.
To do our part, the EAC is working with our federal partners at NIST, DHS and DOJ to provide information to help election jurisdictions address any specific cyber security threats relevant to this year’s Presidential Election. Through that partnership, and in collaboration with state and local election officials, we’ve shared suggested practices to better secure the election systems and procedures.
The EAC created the Elections Security Preparedness webpage to share those resources with election officials. Some of the resources include information developed by DHS on Securing Voter Registration Data, Best Practices for Continuity of Operations (Handling Destructive Malware), and Ransomware: What It Is and What To Do About It. Further, we’ve engaged election officials and experts within the VVSG Public Working Groups to obtain additional information on current and recommended best practices to make elections secure and resilient.
As you cross your t’s and dot your i’s in your final preparations for Election Day, here is a reminder of a few areas to double-check, along with the resources available for each:
Contingency Planning
As Merle King from GA’s Center for Election Systems likes to say, "Election planning is contingency planning." Confirm that your jurisdiction has a continuity of operations plan in place and that it is up to date. As part of these plans, know how you and your jurisdiction would respond to incidents that compromise the availability or integrity of important election systems on Election Day, including voter registration databases (VRDBs), electronic pollbooks (ePBs), and Election Night Reporting (ENR) systems. Run your plan by your county Chief Information Officer and/or State resources to ensure it covers the necessary areas of IT continuity of operations planning. There are also examples of continuity of operations plans and other resources available on the EAC’s Contingency Plans webpage.
Additional information on the procedures used by your colleagues for contingency planning is available in the EAC quick tip guide on contingency and disaster planning.
Backups
Maintain electronic and/or hard-copy backups of critical election information. Ensure State and local VRDBs are backed up regularly. Each election official should maintain a printed copy of the most up-to-date list of eligible voters from the VRDB.
EAC has a checklist available for securing your VR Database that includes the need for backups as well as the DHS resources linked above.
Physical Security
Control all physical access to the election system from the public and unauthorized staff. Check your procedures for protecting the tabulation equipment, memory devices, access panels, ports, ballot boxes, voter registration records and ballot storage leading up to and including Election Day, including the use of tamper-evident seals, to ensure they maintain the proper level of access control and physical security. Keep close track of your chain-of-custody procedure, and maintain a verification process to detect any tampering with the seals and/or the equipment they are protecting.
Additional information is available within Chapter 3 (Physical Security) of the EAC’s Election Management Guidelines.
Testing
Test the equipment thoroughly using real-life processes and procedures. Testing should be conducted after any updates and patches have been applied to the system. Testing can catch unintended changes to the system before it is deployed. For voting equipment, conduct public logic and accuracy (L&A) tests.
Additional information on the procedures used by your colleagues for testing election systems is available on the EAC Managing Election Technology webpage.
Audits
Conduct audits on the systems. Monitor access to, review logs of, and validate processes for the systems. Maintain records and data for the necessary timeframe. For voting systems, conduct post-election audits according to State law and local procedures. If you don’t have any mandated audits, a best practice is to conduct a post-election L&A test to validate that equipment is still functioning properly and as intended.
Additional information on the procedures used by your colleagues for election auditing is available as part of EAC’s quick tip guide on conducting election audits.
Media Handling
Use clean, dedicated media (e.g., USB flash drives) to transfer data to and from voting systems. When resources allow, media used to transfer election results to Election Night Reporting (ENR) systems should be single-use.
Based on the feedback from election officials, and as part of our ongoing efforts to assist State and local election officials, the EAC and NIST will continue to collaborate with jurisdictions to provide them with resources and best practices on securing election systems.